小贝子编程

Python MySQLdb语法错误,语法似乎正确



我正在尝试使用以下代码对MySQL表中名为N_NUMBER的列进行简单检索:

from os.path import join, dirname
from dotenv import load_dotenv
import MySQLdb    
TABLE_NAME = 'testmaster'
dotenv_path = join(dirname(__file__), '.env')
load_dotenv(dotenv_path) # loads the .env
dbName = os.environ.get('DB_NAME')
mydb = MySQLdb.connect(host=os.environ.get('DB_HOST'), user=os.environ.get('DB_USER'), passwd=os.environ.get('DB_PASS'), db=dbName)
cursor = mydb.cursor()
cursor.execute("SELECT N_NUMBER FROM %s", (TABLE_NAME,))

我每次都会继续得到相同的Traceback,那就是:

Traceback (most recent call last):
  File "updateMaster.py", line 101, in <module>
    cursor.execute("SELECT 'N_NUMBER' FROM %s", (TABLE_NAME,))
  File "/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/MySQLdb/cursors.py", line 205, in execute
    self.errorhandler(self, exc, value)
  File "/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/MySQLdb/connections.py", line 36, in defaulterrorhandler
    raise errorclass, errorvalue
_mysql_exceptions.ProgrammingError: (1064, "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''testmaster'' at line 1")

我还尝试了文档为.execute()方法推荐的pyformat风格的语法,但仍然收到了相同的错误。pyformat样式看起来像:

cursor.execute("SELECT N_NUMBER FROM %(table_name)s", {'table_name':TABLE_NAME})

当我尝试直接将表名插入命令字符串时,该命令会起作用,这让我怀疑它与%s有关。怎么了?

不能参数化表名或列名。在意识到SQL注入攻击的可能性的同时,改为:

cursor.execute("SELECT N_NUMBER FROM {}".format(TABLE_NAME))

相关内容

最新更新


热门标签:

javascript python java c# php android html jquery c++ css ios sql mysql arrays asp.net json python-3.x ruby-on-rails .net sql-server django objective-c excel regex ruby linux ajax iphone xml vba spring asp.net-mvc database wordpress string postgresql wpf windows xcode bash git oracle list vb.net multithreading eclipse algorithm macos powershell visual-studio image forms numpy scala function api selenium